Cyber security and business need each other. However, while cyber security learns the language of business, business refuses to learn the language of cyber security.
In fact, there is historical evidence that business will trash whatever gets in the way of profits, which security does.
So said Pete Herzog, co-founder and member of the board of directors of the Institute for Security and Open Methodologies, speaking during his keynote address at ITWeb Security Summit 2019, in Sandton, this morning.
“If cyber security was an animal, it would be a raccoon, protecting the dumpster it eats out of while thinking that washing its hands in the creek somehow makes it dignified.”
He said this is why cyber security professionals are unhappy. “There’s a lot of burnout, depression, substance abuse. It’s a really tough job. But not for all. If you’re one of the ones who got into cyber security because you like to hang out with middle-aged white men with big egos who humble-brag a lot, then you’re getting a treat.”
Still, cyber security tries. “Pundits keep saying we need to learn the language of business, but business should also learn the language of cyber security. Every time you read about cyber security, they say you must learn the language of business, but don’t expect cyber security to show up in business. Not in the language, not in the thoughts. There is no real incentive for them to learn it, so they won’t.”
Business schools still do not need to teach cyber security, Herzog added. “Remember, business doesn’t get fired for bad cyber security; they get fired for making bad deals.”
Business needs us, and we need business. It’s textbook co-dependence, except business doesn’t realise it yet. “Business still thinks it needs to sow its wild oats. Meanwhile, security is getting desperate, and trying like hell to make security sexier so they’ll pay attention to us.”
He noted we try to sell cyber security as a way to increase profits, keep customers and maintain a good stock price. “In truth, cyber security is a cost centre, with a loss motive and no real profit incentive. We also play the compliance and regulation card, to get government to help, and to try to get the public to demand that business pay attention to security.
“Yet, at the party, business is flirting through the crowd and flashing that trillion-dollar smile that it wouldn’t have, if not for cyber security. Business doesn’t care.”
So how do we move forward? “Cyber security is built on human suffering. Only we can stop the vicious cycle of abuse. As a research organisation, we’ve done the numbers, and the number of ways a threat can move through a small 20-person network is ‘1 x 10 to the 121st’.
“If you think you can do threat detection, you would need a hard drive the size of the universe. And that’s for a small network. In any network, for each interactive process, there are ‘1 x 10 to the 34’ variables I have to keep under consideration. Less than the number of threats, but if I took one second for each, enough to last a lifetime.”
He said the first change is to stop using patching as a security defence. “It isn’t. You can never be fast enough. Next, stop using vulnerability scans as a security tool. They only tell you what needs to be patched, they don’t really help you. They can enhance vulnerability management, sure. But not as a main way of maintaining security.
“Everything you have installed in your enterprise has unmitigated vulnerabilities, you just don’t know about them.”
Change number three, Herzog said, is to stop worrying about having defence-in-depth. “It’s like adding more and more blankets as you get cold. Just putting on layers. Yeah, it works. However, it doesn’t work in cyber space. You can’t keep putting the same protection over and over something and think it will be effective. It isn’t.”
Next, he said breaches do not happen because security is hard; they happen because people think security is not hard. “Trust me, it’s really, really hard. I’m all for AI and automation and any tools that can make it easier, because it is that hard. There are too many variables. It is never easy. In security everything matters.”
Change number five is cyber hygiene. “Good passwords, malware detection, threat detection, awareness training, automated patching; it is all a misdirection of resources. Most of it is based on identification which is broken in any case, and you end up scuttling after nothing. It is labour-intensive and it will make you miserable.”
Finally, change number six is to realise that people are not the weakest link. “They are not a link at all; they are an asset, but you cannot count on them. They are not your security. Everyone makes mistakes because we are tired.”
Enforcing password managers and similar tools to ensure users do not rely on weak passwords and logins is far more effective.
“In conclusion, I’ll say winners don’t quit, and quitters don’t win. If you neither win nor quit, you work in cyber security.”